Cisco Security Agent 5.1

Feb 27th, 2008

I have an error message which I get constantly from my Desktop when applying policies through Cisco Security Agent 5.1.


error

1: Rules for kit:Test_mode_Desktop_v5.1.0.69 have complexity 7551 which exceeds maximum 7500


This error is constantly showing up in the Management Center running through the Microsoft Explorer web browser.



tsteger1 Wed, 02/27/2008 - 11:19

You have too many items in your installation and need to delete some to get below the 7500 item limit.


Have you applied any hotfixes? If so, you could delete the older items not being used.


You can also delete items associated with OSs that you aren't using to reduce the number.


Tom

ptaylor51 Wed, 02/27/2008 - 17:56

Hi Tom


Thanks, what do you mean I have too many items in my installations? No hotfixes applied as of yet.

What are these errors associated with?

tsteger1 Wed, 02/27/2008 - 22:52

Hi Peter


It means you have too many groups, rules, app classes, variables, etc.


You need to reduce the number of individual items registered in the database in order to process the rules.


Try to consolidate and/or delete unused items.


If you don't have any Solaris or Linux hosts, that would be a good place to start.


Once you fall below this limit, it will allow you to generate the rules.


Tom

ptaylor51 Thu, 02/28/2008 - 04:36

OK, thanks very much for the information, I will keep you posted.


Peter

ptaylor51 Thu, 02/28/2008 - 10:03

How do I remove the Linux groups? Can I remove the test_mode_desktop for Windows as well? Where do I remove the app classes and variables from?

I initially went into alert kits and removed the Solaris but I still receive the same error. However it seems to be only for the Test_mode_Desktop for the Windows rule. I'm somewhat confused how to proceed.


No fixes applied and I am not running R2 on my Windows 2003 server.

tsteger1 Thu, 02/28/2008 - 10:46

I'm talking about deleting rules, variables, policies, etc, not agent kits.


DO NOT remove the test_mode_desktop kit.


If you are confused about how to proceed, you should probably either attend a two-day HIPS class or get one of the Cisco Press or other good books available.


If you decide to proceed, make sure you have a good full system and database backup before you start.


Good Luck,

Tom

ptaylor51 Fri, 02/29/2008 - 04:19

I understand, however in your first email you said that I had too many things in my installation, and that I should remove things that are associated with the OSs.

This is not what you are saying in your last post; you are now saying clean up my rules, variables and policies. These are not all the same thing.

So please clarify.


Regards


Peter

tsteger1 Fri, 02/29/2008 - 15:59

When I refer to 'items', I'm referring to rules, variables, policies, groups, hosts, etc...


Go to the search page and search for It will tell you the number of results and that is the number of 'items' you have.


Some are applicable only to a certain OS (Solaris, Linux or Windows) and you can modify your search to find just those.


I was suggesting deleting items for OSs you do not have.


That's what you need to work on getting below 7500 in order to generate your rules.


The test_mode_desktop agent kit for Windows (and Linux) are the default agent deployment kits that're created when you install the MC.


If you deploy agents with it and then delete it, any agents that re-register with the MC won't know which groups they belong to so will belong to none.


Tom

pmccubbin Sat, 03/01/2008 - 04:43

Tom,


You are spot-on. Thanks for the explanation. I rate it a "5" for clarity.



Paul

pmccubbin Fri, 02/29/2008 - 04:51

These are the two books which Tom is suggesting you peruse:


“Cisco Security Agent” by Chad Sullivan. Publisher: Cisco Press, 2005

“Advanced Host Intrusion Prevention With CSA” by Chad Sullivan. Publisher: Cisco Press, 2006.


They have helped me on numerous occasions.


Hope this helps.


ptaylor51 Fri, 02/29/2008 - 08:50

Thanks, I will check them out.


I know this may be a stupid question, however what is the purpose of the test_mode_desktop kit anyway?


Peter

pmccubbin Sat, 03/01/2008 - 04:49

Peter,


It's a good question so no worries.


The Test Mode Desktop Agent is an economizing device for rolling out CSA. It allows you to see how policies will affect your end users without negatively impacting them. Remember that in Test Mode the agent actively inspects but does not enforce rules.


You can easily begin a deployment with the Test Mode Agent and be fairly certain you are not going to have any issues. This is why I call it an economizing device as it saves you time and usually a lot of headaches.


Hope this helps.


Paul
